Mac forensics on Macs? You bet! And it’s easy.
The idea of performing forensics on Macs may seem strange, but Mac Marshal takes an approach we don't see often. It is unique because the tool uses many of the native capabilities of the Mac to help it perform comprehensive forensic analysis of the OS X release 10+ operating system and its closely associated applications. But I am getting ahead of myself.
Mac Marshal is a Mac-based forensic tool that operates within two points of the forensic examination: the triage phase and the analysis phase. While I don't generally refer to the discovery phase of a forensic exam as the triage phase, I have no objection to others doing so. What we really are talking about is getting the lay of the land. We want to know what the file system looks like and -- as is common on Macs -- what virtual machines (VMs) may be present. Mac tools, such as Parallels, provide convenient ways to run multiple operating systems, such as MS Windows, within the Mac environment. In a forensic examination, understanding what VMs are running can lead us to hidden data. Mac Marshal lets you extract the VMs for analysis with your favorite tool set -- perhaps EnCase, FTK or ProDiscover for Windows or Sleuthkit for Linux.
Once the environment has been exposed, the Mac pieces can be analyzed very neatly with Mac Marshal. My first question, of course, is why I cannot perform the same analysis with my favorite Windows-based tool; almost all of them can see the OS X file system. The answer is that Mac Marshal uses Mac tools, such as Spotlight, to see Mac files the way the Mac sees them. So analysis of iPods that have been connected to the suspect computer, for example, reveals all of the file metadata that the Mac is able to see, arranged in an easy-to-use manner.
The big benefit is that if you don't happen to be deeply familiar with the Mac and its associated applications, you can use Mac Marshal and still not miss anything important. I see Macs about once a year, so that ease of analysis was especially attractive to me. Forensic labs are overwhelmed. That is true especially for law enforcement labs, many of which have an evidence locker full of computers awaiting analysis. Being able to handle Macs without having Mac experts on staff is very useful, especially in the production environment that characterizes today's labs.
That brings up an important benefit of this tool: it is not intended as a replacement for other forensic tools. Rather, it is a must-have for every forensics lab that gets Macs in for analysis. At $995, it is an affordable adjunct to the tool set of just about any competent forensics lab.
While it does not make images itself, it will analyze images in multiple formats. It also has the ability to look at a target machine in much the same way that the earlier EnCase preview mode worked. Even though the product is advertised as not writing to the target disk, the vendor recommends that you use a hardware write blocker anyway. I agree. Having to explain to a court why you are certain that the tool didn't write to the disk under analysis is probably not a position you want to be in.
The tool maintains an audit log of the actions that the examiner performs with it and, of course, hashes of files. There is a graphical image search tool, and graphics files and their metadata can be exported for deeper analysis. Reporting is a cakewalk, and reports can be generated in .pdf, .html or .rtf formats. Some reports lend themselves to tab- or comma-delimited files, and for those types of reports those formats are available. While the focus of Mac Marshal is the more current versions of OS X, it can go all the way back to earlier versions with a few limitations. The vendor claims that it will have full support for all versions of OS X in an upcoming release.
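The two capabilities the review keeps returning to, the triage sweep for virtual machines on a suspect volume and the audit log with file hashes, can be illustrated with a small script. The following is an added example written for this page; it is not Mac Marshal's code and does not reproduce how the product works internally. It assumes that Parallels keeps each VM in a `.pvm` bundle, VMware Fusion in a `.vmwarevm` bundle, and VirtualBox in a `.vdi` disk file (the author's assumption about these products, not a list taken from the review), walks a mounted volume for those containers, hashes their contents with SHA-256 so an exported VM can later be verified against the original, and records every step in an append-only JSON-lines audit log kept outside the evidence volume. The sample volume it builds under a temporary directory is constructed data.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Assumed VM container extensions (author's assumption, not Mac Marshal's list):
# Parallels .pvm and VMware Fusion .vmwarevm are bundles (directories);
# VirtualBox .vdi is a single disk-image file.
VM_MARKERS = {
    ".pvm": ("Parallels", "bundle"),
    ".vmwarevm": ("VMware Fusion", "bundle"),
    ".vdi": ("VirtualBox", "file"),
}


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_vm_containers(root):
    """Walk a mounted volume (read-only, ideally behind a write blocker) and
    return every VM bundle or disk file whose extension is in VM_MARKERS."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            ext = Path(name).suffix.lower()
            if ext in VM_MARKERS and VM_MARKERS[ext][1] == "bundle":
                found.append({"path": os.path.join(dirpath, name),
                              "product": VM_MARKERS[ext][0], "kind": "bundle"})
                dirnames.remove(name)  # treat the bundle as one unit; do not descend
        for name in filenames:
            ext = Path(name).suffix.lower()
            if ext in VM_MARKERS and VM_MARKERS[ext][1] == "file":
                found.append({"path": os.path.join(dirpath, name),
                              "product": VM_MARKERS[ext][0], "kind": "file"})
    return sorted(found, key=lambda e: e["path"])


def hash_container(entry):
    """Return {relative name: sha256} for each file in the container so an
    exported copy can be verified against what was on the suspect volume."""
    p = entry["path"]
    if entry["kind"] == "bundle":
        files = [os.path.join(d, f) for d, _, fs in os.walk(p) for f in fs]
        return {os.path.relpath(f, p): sha256_of_file(f) for f in sorted(files)}
    return {os.path.basename(p): sha256_of_file(p)}


class AuditLog:
    """Append-only examiner log: one JSON object per line, UTC timestamped."""

    def __init__(self, path):
        self.path = path

    def record(self, action, **details):
        entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "action": action, **details}
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def entries(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def triage_volume(root, log_path):
    """Locate VM containers, hash their contents, and log every step taken."""
    log = AuditLog(log_path)
    log.record("triage_start", volume=str(root))
    results = []
    for entry in find_vm_containers(root):
        hashes = hash_container(entry)
        log.record("vm_found", path=entry["path"], product=entry["product"], files=len(hashes))
        results.append({**entry, "sha256": hashes})
    log.record("triage_end", vm_count=len(results))
    return results


def build_sample_volume():
    """Constructed sample data: a fake mounted Mac volume with one Parallels
    bundle, one VirtualBox disk, and an unrelated document."""
    root = Path(tempfile.mkdtemp(prefix="macvol_"))
    pvm = root / "Users" / "alice" / "Parallels" / "Windows 7.pvm"
    pvm.mkdir(parents=True)
    (pvm / "config.pvs").write_text("<ParallelsVirtualMachine/>\n")
    (pvm / "harddisk.hdd").write_bytes(b"abc")  # placeholder disk content
    vb = root / "Users" / "alice" / "VirtualBox VMs" / "ubuntu"
    vb.mkdir(parents=True)
    (vb / "ubuntu.vdi").write_bytes(b"<<< Oracle VM VirtualBox Disk Image >>>\n")
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "notes.txt").write_text("not a VM\n")
    return root


def run_sample_case():
    """Triage the constructed volume; the audit log lives in a separate case
    directory, never on the evidence volume. Returns (results, log entries)."""
    vol = build_sample_volume()
    log_path = os.path.join(tempfile.mkdtemp(prefix="case_"), "audit.jsonl")
    results = triage_volume(vol, log_path)
    return results, AuditLog(log_path).entries()


if __name__ == "__main__":
    vms, log = run_sample_case()
    for vm in vms:
        print(vm["product"], vm["path"], len(vm["sha256"]), "file(s) hashed")
    print(len(log), "audit entries")
```

The walk deliberately stops at a bundle boundary so each VM is reported as a single unit, the way an examiner would hand it to EnCase, FTK or The Sleuth Kit, while the per-file hash map inside that unit is what lets the exported copy be verified later.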
If you perform forensic analysis and you see Macs, you need this tool. It is affordable, powerful and very easy to use. It is fast, thorough and comprehensive. In short, it does just about everything one would expect a competent computer forensic analysis tool to do. I loved it.